{
  "claim_outcome": "not_reproduced",
  "claim_block_reason": "patch_complete",
  "repro_result": "not_reproduced",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "xss",
  "observed_impact_class": "xss",
  "exploitability_confidence": "low",
  "attacker_controlled_input": "HTTP GET parameters tested on fixed Tomcat 10.1.56: hint on numguess.jsp; color1/color2/action on colrs.jsp; itemId/submit on carts.jsp",
  "trigger_path": "/examples/jsp/num/numguess.jsp, /examples/jsp/colors/colrs.jsp, /examples/jsp/sessions/carts.jsp",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "blocking_mitigation": "The fix in webapps/examples/jsp/num/numguess.jsp changes <jsp:setProperty name=\"numguess\" property=\"*\"/> to property=\"guess\", preventing request parameters from populating the internal hint property. The other wildcard-binding example JSPs were confirmed not to render attacker-controlled string properties unescaped.",
  "inferred": false
}
